
AWS ReInvent19 – Security Announcements

I haven’t attended any AWS reInvent or reInforce conference to date; however, I have never missed the AWS reInvent security announcements!! Even this year I watched the reInvent sessions and keynotes while relaxing at home with some popcorn and drinks 😀

Major announcements for Identity, Security, and Governance during this year’s AWS reInvent:

Personal Thoughts: If you’re thinking you can replace commercial SAST tools with CodeGuru, it’s not worth trying (as of now). In terms of security code review, this is still a half-baked product from AWS. However, I believe AWS learns from customer feedback and will improve this product very soon, and customers can leverage it for secure code reviews as it has out-of-the-box integrations with CodeCommit, GitHub and Security Hub. I scanned a DVWA type of app using CodeGuru and noticed two limitations: CodeGuru only supports the Java language, and it didn’t identify the hardcoded credentials vulnerability.

Amazon CodeGuru is a new machine learning service for development teams who want to automate code reviews, identify the most expensive lines of code in their applications, and receive intelligent recommendations on how to fix or improve their code. Even for the most seasoned engineers, it can be difficult to detect some types of code issues even through peer code reviews and unit testing. It can also be challenging to identify the most resource-intensive code methods without needing performance engineering expertise. CodeGuru helps you catch code issues faster and earlier, and improve application performance.

CodeGuru Reviewer detects and flags wide-ranging issues in source code such as thread safety issues, use of un-sanitized inputs, inappropriate handling of sensitive data, and resource leaks. It also detects deviation from best practices for using AWS APIs and SDKs, flagging common issues that can lead to production issues, such as detection of missing pagination or error handling with batch operations. CodeGuru Profiler is always searching for application performance optimizations, recommending ways to fix issues such as excessive recreation of expensive objects, expensive deserialization, usage of inefficient libraries, and excessive logging. CodeGuru Profiler runs continuously in production, consuming minimal CPU capacity so it does not significantly impact application performance.

Amazon Web Services (AWS) announces the availability of EC2 Image Builder, a service that makes it easier and faster to build and maintain secure images. Image Builder simplifies the creation, patching, testing, distribution, and sharing of Linux or Windows Server images.

Keeping server images up-to-date can be time-consuming, resource-intensive, and error-prone. Currently, customers either manually update and snapshot VMs or have teams that build automation scripts to maintain images.

Image Builder significantly reduces the effort of keeping images up-to-date and secure by providing a simple graphical interface, built-in automation, and AWS-provided security settings. With Image Builder, you can easily build your automated pipeline that customizes, tests, and distributes your images in addition to keeping them secure and up-to-date.

Image Builder is available in all AWS regions and offered at no cost, other than the cost of the underlying AWS resources used to create, store, and share the images.

AWS Security Hub now integrates with AWS Identity and Access Management (IAM) Access Analyzer. IAM Access Analyzer is an IAM feature that makes it simple for security teams and administrators to check that their policies provide only the intended access to resources. The IAM Access Analyzer integration with Security Hub will send findings to Security Hub when policies allow public or cross-account access to resources. Security Hub will automatically enable this integration if you are already using IAM Access Analyzer, and you will begin receiving findings from IAM Access Analyzer without any action needed on your end.

Amazon Detective is a new service in Preview that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Personal thoughts: I thought GuardDuty analyzed CloudTrail and VPC Flow Logs by default; not sure why AWS made it look like Amazon Detective analyzes logs that are already analyzed by GuardDuty.

The workflow is pretty interesting, and it looks like AWS is slowly entering the cloud-native SIEM world:

A lifesaver for security folks who have centralized logging by creating an organization-wide S3 data lake (CloudTrail, CloudWatch, VPC Flow Logs, server logs, API requests, load balancer logs, etc.) and running a commercial SIEM on top of these logs. In a few organizations, it’s a nightmare to manage this access at scale when multiple business units request data that belongs to their apps/servers and the security team has to ensure they don’t have access to data that belongs to other BUs.

Amazon S3 Access Points is a new S3 feature that simplifies managing data access at scale for shared data sets on Amazon S3. With S3 Access Points, you can easily create hundreds of access points per bucket, each with a name and permissions customized for the application. This represents a new way of provisioning access to shared data sets. Whether creating an access point for data ingestion, transformation, restricted read access, or unrestricted access, using S3 Access Points simplifies the work of creating and maintaining access to shared S3 buckets.

You can easily add access points as your application set and storage scales, and you no longer have to worry about managing access through a single bucket policy that spans dozens or hundreds of use cases. S3 Access Points are unique hostnames that you can create to enforce distinct permissions and network controls for any request made through the access point. S3 Access Points policies allow enforcing permissions by prefixes and object tags, allowing limits on the object data that can be accessed. Any S3 Access Points can be restricted to a Virtual Private Cloud (VPC) to firewall S3 data access within your private networks, and AWS Service Control Policies can be used to ensure all access points in an organization are VPC restricted.

Limitation as of today: access points can be used to provide access to your bucket, but the S3 console doesn’t support using virtual private cloud (VPC) access points to access bucket resources. To access bucket resources from a VPC access point, you’ll need to use the AWS CLI, AWS SDK, or Amazon S3 REST API.
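To make the three controls above concrete (a per-application access point policy scoped to a prefix, the SCP that forces every new access point to be VPC-only, and a check for access points that are still Internet-facing), here is an added example; it is not code from the post or from AWS, and the account id, region, role name, bucket and VPC id are placeholders.

```python
"""Added example (not from the post or AWS): prefix-scoped S3 Access Point
policy, VPC-only SCP guardrail, and an audit of existing access points."""

# Assumed placeholders, not real account, region or VPC values
ACCOUNT = "111122223333"
REGION = "us-east-1"


def access_point_policy(ap_name, role_arn, prefix):
    """Read-only access to one prefix for one role, granted on the access point
    (the bucket policy must separately delegate to access points in ACCOUNT)."""
    ap_arn = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{ap_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "s3:GetObject",
            # object ARNs under an access point carry an "/object/" segment
            "Resource": f"{ap_arn}/object/{prefix}/*",
        }],
    }


def vpc_only_scp():
    """Org-wide guardrail: deny creating an access point whose origin is not VPC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "s3:CreateAccessPoint",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"s3:AccessPointNetworkOrigin": "VPC"}},
        }],
    }


def internet_facing(access_points):
    """Names of access points whose NetworkOrigin is not VPC; the input has the
    shape of s3control list_access_points()['AccessPointList']."""
    return [ap["Name"] for ap in access_points if ap.get("NetworkOrigin") != "VPC"]


# Constructed sample, in the shape list_access_points() returns
SAMPLE_ACCESS_POINTS = [
    {"Name": "bu-finance-ingest", "NetworkOrigin": "VPC", "Bucket": "org-data-lake",
     "VpcConfiguration": {"VpcId": "vpc-placeholder0001"}},
    {"Name": "legacy-read", "NetworkOrigin": "Internet", "Bucket": "org-data-lake"},
]
```

The SCP only prevents new non-VPC access points; `internet_facing()` is what you run over the real `list_access_points()` output to find the ones created before the guardrail.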

Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources. Access Analyzer for S3 evaluates your bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access.

Access Analyzer for S3 alerts you when you have a bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. You receive insights or ‘findings’ into the source and level of public or shared access. For example, Access Analyzer for S3 will proactively inform you if read or write access were unintendedly provided through an access control list (ACL) or bucket policy. With these insights, you can immediately set or restore the intended access policy.

When reviewing results that show potentially shared access to a bucket, you can Block All Public Access to the bucket with a single click in the S3 Management console. You can also drill down into bucket level permission settings to configure granular levels of access. For specific and verified use cases that require public access, such as static website hosting, you can acknowledge and archive the findings on a bucket to record that you intend for the bucket to remain public or shared. You can revisit and modify these bucket configurations at any time. For auditing purposes, Access Analyzer for S3 findings can be downloaded as a CSV report. Access Analyzer for S3 is available at no additional cost in the S3 Management Console.

Most global networks today include resources that are both located in the cloud and on one or multiple on-premises locations. To monitor that entire global network, you often have to stitch together data from the cloud and your premises. This results in an inconsistent management and monitoring experience. You need a simple solution to build and manage your global network across the cloud and on-premises.

AWS Transit Gateway network manager provides a single global view of your private network. Start by registering your AWS Transit Gateways and defining your on-premises resources. You can then visualize and monitor your global network from a centralized, operational dashboard. This enables you to visualize your global network in a topology diagram and in a geographical map. You can monitor your network using CloudWatch Metrics, as well as CloudWatch events for network topology changes, routing updates, and connection status updates. There are no additional fees for using Network Manager. You are charged the standard fees for the network resources that you manage in your global network (such as transit gateways).

Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts. Fraud Detector uses machine learning (ML) and 20 years of fraud detection expertise from AWS and Amazon.com to automatically identify potentially fraudulent activity so you can catch more fraud faster. With Fraud Detector, you can create a fraud detection model with just a few clicks and no prior ML experience because Fraud Detector handles all of the ML heavy lifting for you.

Amazon Elastic Container Service (ECS) now supports Windows group Managed Service Account (gMSA), a new capability that allows ECS customers to authenticate and authorize their Windows containers with network resources using an Active Directory (AD). Customers can now easily use Integrated Windows Authentication with their Windows containers on ECS to secure services.

ECS support for Windows gMSA allows customers to keep user account identity configuration separated from the container image while at the same time easily adopting an Active Directory security context across multiple services in the customer’s application. Customers that wish to containerize and deploy .NET applications on ECS can use gMSA for service-to-service authentication to applications like SQL Server without having to provide a password.

Customers can configure their containers to use one or more gMSA already registered with their AD by passing the credential spec file through the dockerSecurityOptions field in the ECS task definition. See our blog post for more information on using ECS Support for Windows gMSA.
